North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Prefix Hijack Tool Comaprision
Todd Underwood wrote:
i said that *this* hijacking took place in an insignificant corner of
Yet for someone monitoring from their own perspective, what matters to them is what their own AS is seeing. If a hijacking makes it to their AS, they want to be concerned.
real hijackings leak into dozens or hundreds or thousands of ASNs.
Wasn't there a dns hijack not long ago that only had the scope of one ISP (who just happened to be extremely large and carried a bunch of cell phones)? Just because a hijack only covers a small portion of the net doesn't make it any less effective. This is why we push to get as many access controls as far out to the edge as possible. If it only effects the person who tries it, then it has no bearing.
as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth.
Thresholds might be important, but different mileage, yada yada.